Authorization and Authentication Infrastructure Daan Broeder & Dieter Van Uytvanck Max Planck Institute for Psycholinguistics [email protected] CLARIN-NL Info Session Nijmegen 2009-07-01


Page 1: Authorization and Authentication Infrastructure

Authorization and Authentication Infrastructure

Daan Broeder & Dieter Van Uytvanck, Max Planck Institute for Psycholinguistics

[email protected]

CLARIN-NL Info Session

Nijmegen

2009-07-01

Page 2: Authorization and Authentication Infrastructure

CLARIN-NL Info Session, Nijmegen, 2009-07-01 (www.clarin.eu)

Overview

• CLARIN and the holy grail
• Traditional Federations
• AAI prototype
• Planning

Page 3: Authorization and Authentication Infrastructure


CLARIN and the Holy Grail (1)

A researcher authenticates at his/her own organization and creates a “virtual” collection of resources from different repositories.

Page 4: Authorization and Authentication Infrastructure


CLARIN and the Holy Grail (2)

• Found by browsing a catalogue, searching through metadata, or searching in resource content.
• A workflow specification tool to process this virtual collection with possibly a mix of home-grown and remote service components.
• Resulting data can be added to the origin repositories (with the “virtual” collection).

For our domain this is very ambitious and challenging, but even a partial realization is worthwhile!

Page 5: Authorization and Authentication Infrastructure


Traditional Federations (1)

[Diagram: three stages labelled Local, External and Federation. In each, browsers (B) talk HTTP to SPs; the SP first checks a local DB, then external LDAP user stores, and finally an IdP that speaks SAML over HTTP and is backed by its own DB.]

From a local user store to a traditional federation…

Page 6: Authorization and Authentication Infrastructure


Traditional Federations (2)

[Diagram: a traditional federation consisting of several IdPs and SPs]

Page 7: Authorization and Authentication Infrastructure


CLARIN AAI prototype (1)

[Diagram: two (identity) federations, each containing several IdPs and SPs]

Page 8: Authorization and Authentication Infrastructure


CLARIN AAI Prototype (2)

7 Service Providers: INL, Meertens Instituut, MPI, IDS, DFKI, BBAW, CSC / U Helsinki

3 national Identity Federations: SurfFederatie (NL), DFN (DE), HAKA (FI)

Page 9: Authorization and Authentication Infrastructure


AAI prototype agreements

Two options:
• One SP signs on behalf of all participating SPs (1xN, preferred)
• Every SP signs a separate contract with each national Identity Federation (NxN, more fuss but feasible)

Page 10: Authorization and Authentication Infrastructure


Planning

• Before end 2009: prototype federation (WP7: contractual issues; WP2: technical aspects)
• Keep good contacts with GEANT3/TERENA/eduGAIN
• Talks with CSC about implementing a common code of conduct service

Page 11: Authorization and Authentication Infrastructure

Thank you for your attention

CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n° 212230

Page 12: Authorization and Authentication Infrastructure


Backup slides

Page 13: Authorization and Authentication Infrastructure


References

http://www.terena.org/activities/tf-emc2/meetings/12/slides/eduGAINstatus.pdf
http://www2.surfnet.nl/bijeenkomsten/rd2008/sheets/zandbelt.ppt
http://www.clarin.eu/events/aai-hands-on-workshop

Page 14: Authorization and Authentication Infrastructure

[Diagram: the CLARIN SP pushes its metadata to each national IdF (DFN, HAKA, SurfFederatie) via the protocol chosen by that specific IdF: SMTP, the SWITCH system, or still unknown (“?”). Metadata about the IdPs within each national IdF is included.]

Push SP metadata to national IdF via protocol as chosen by the specific IdF. Include MD about IdPs within the national IdF.

Page 15: Authorization and Authentication Infrastructure

[Diagram: with eduGAIN 2.0, metadata between the CLARIN SP and the national IdFs (DFN, HAKA, SurfFederatie) flows through an eduGAIN metadata hub.]

Include MD about national IdPs in the SP MD. With eduGAIN 2.0.

Page 16: Authorization and Authentication Infrastructure


Beyond the Traditional Federations: SPO

[Diagram: two identity federations of IdPs and SPs, with a Service Provider Federation/Organization spanning them]

Page 17: Authorization and Authentication Infrastructure


AAI Issues & Challenges (1)

• CLARIN is not an IdF: our intended clientele is too widespread, and no special IdP configuration can be expected. So, only an SP organization relying on national IdFs.
• What forms the SP organization (wrt. AAI)? The LRT community; standard contracts with the (national) IdFs; a common set of CCs / licenses; attribute requirements.
• Shallow versus deep federation: SPs specify the auditing level; no penalties.

Page 18: Authorization and Authentication Infrastructure


AAI Issues & Challenges (2)

• Attribute harmonization: eduGAIN solves it all?
• WAYF (& WFAYF)
• AAI software: Shibboleth and SimpleSAMLphp. Is there more needed?
• Guest accounts for the homeless

Page 19: Authorization and Authentication Infrastructure


AAI Issues & Challenges (3)

• SSO for client applications, e.g. downloading distributed virtual collections
• SSO for web services: deal with workflows chaining web services from different providers
• SSO when dealing with CCs, 3 options: leave it to the SP; a user attribute (~ IdP); a separate service, external attribute authorities
• Use of GRID resources: Data GRID & Compute GRID

Page 20: Authorization and Authentication Infrastructure


eduGAIN confederation

• Connect national AAI on a pan-European level
• GEANT (2,3) workgroup: TF-EMC2
• CLARIN: excellent use case!

Page 21: Authorization and Authentication Infrastructure


CLARIN Federation Infrastructure

CLARIN wants to be a LR&T “service federation”
• simplified and unified rules for licensing and accessing
• agreements with national identity federations
• must make sure all necessary attributes are available
• cater also for A&A of non-web applications and of web services
• interaction with GRID AAI

[Diagram: national Identity Federations with Trust Agreements to eJournal Service Providers and to LRT Service Providers]

Speaker note (Dieter Van Uytvanck): difference in trust relation: standardized CC for LRT <> NREN, less bureaucracy
Page 22: Authorization and Authentication Infrastructure


DAM-LR EU project (1)

• Small EU project (2005-2007) on archive integration of 4 partners: corpus/computational linguistics and endangered language documentation
• Resource discovery: sharing a single metadata set for searching & browsing
• Authentication & Authorization: single user identity, single sign-on by using Shibboleth
• Referencing and citing “archived resources” using a single persistent identifier system

Page 23: Authorization and Authentication Infrastructure


DAM-LR EU project (2)

Experiences:
• The standard eduPerson attribute set is probably sufficient (but CCs …)
• Shibboleth is nice when using web applications, but applications need access too!
• Shibboleth is efficient when dealing with groups, e.g. staff, student, … But our domain also has to deal with individuals => store user IDs in authorization records
• DAM-LR was a federation of both IdPs & SPs; CLARIN aims at a much larger potential user group whose home organizations do not want to run a CLARIN-specific IdP => use the national IdFs

Page 24: Authorization and Authentication Infrastructure


Applications need Authentication too

[Diagram: an IdP, two archives (archiveA, archiveB) each fronted by Shib.apache, and the user application IMDIcopier]

User scenario: copying resources from different repositories to the local machine.

• The application speaks only HTTP with basic authentication; it does not understand the form-based authentication employed by the Shib. IdP.
• The application is also not able to profit from the SSO over archives.

Possible solution: use certificates for authentication, obtained by SLCS (but can the auth. handshake be mimicked by software?)

Page 25: Authorization and Authentication Infrastructure


Searching through annotations

[Diagram: annotation files in CHAT, EAF and Shoebox formats pass through parsers into the MPI Archive DB/SE behind a search service; access is checked against an Auth DB and an IdP]

• Parsers “normalize” the structural format
• Content search in one archive: no problem (check single DB)

Page 26: Authorization and Authentication Infrastructure


Federative search scenario

[Diagram: as before, but with two archives (MPI Archive and Archive B), each with its own DB/SE, search service and AuthZ DB, fronted by a specialized web portal; the IdP handles AuthN]

• Parsers “normalize” the structural format
• Searching through annotations
• The web portal app would like to act on behalf of the user and access the search services.

Page 27: Authorization and Authentication Infrastructure


What do we aim for?


Page 28: Authorization and Authentication Infrastructure


Licenses & Codes of conduct 1

[Diagram: the user's browser, an IdP, and two service providers SPa and SPb, each with its own CC DB]

• The SP requires a signed CC and takes care of this, but only for its own domain.
• This can break the SSO if the user is required to sign the same CC several times.
• CLARIN will harmonize the CCs and licenses to a limited number.

Page 29: Authorization and Authentication Infrastructure


Licenses & Codes of conduct 2

[Diagram: the user's browser, an IdP holding the CC DB, and service providers SPa and SPb]

• Store the CC DB info in the user attributes at the IdP (cf. SWITCH uApprove)
• But how does it get there? A special app? Not every IdP will/can run this.

Page 30: Authorization and Authentication Infrastructure


Licenses & Codes of conduct 3

[Diagram: the user's browser, an IdP, service providers SPa and SPb, and a separate CC service with its own CC DB]

• Create a special CC service. This is part of the SPF, independent of the IdFs.

Page 31: Authorization and Authentication Infrastructure


What do we aim for?


Page 32: Authorization and Authentication Infrastructure


AAI Planning (1)

Training courses for AAI: support of SimpleSAMLphp, Shibboleth

Page 33: Authorization and Authentication Infrastructure


AAI Planning (2)

• Centers should make their policies explicit: integration of the SP with AAI; IdP support for their users
• Is there potential for a “fire brigade”? Help with configuration & integration. MPG (RZG) does something there, who else?
• Contracts with national IdFs (WP7). What role has eduGAIN?

Page 34: Authorization and Authentication Infrastructure


What's next?

• SLCS with SURFnet (preliminary research)
• Direct interaction with GEANT 3 (May 5/6)
• Talks with CSC about implementing a CC service